Platform: php
Component: tuleap
Fixed in: 16.13.100, 17.0.1, 16.13.1, 16.12.1
CVE-2025-64482 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting Tuleap, an open-source suite for managing software development and collaboration. The flaw allows an attacker to manipulate the commit rules or immutable tags of an SVN repository by tricking an authenticated user into submitting a request they did not intend. The vulnerability impacts Tuleap Community Edition prior to version 16.13.99.1762267347 and Tuleap Enterprise Edition prior to versions 17.0-1, 16.13-6, and 16.12-9. The issue is resolved in Tuleap Enterprise Edition 17.0.1.
Successful exploitation of CVE-2025-64482 could allow an attacker to gain unauthorized control over an SVN repository within a Tuleap environment. This could involve modifying commit rules, effectively bypassing version control restrictions and potentially allowing malicious code to be committed to the codebase. The attacker could also alter immutable tags, undermining the integrity and traceability of software releases. The blast radius extends to any user with access to the affected SVN repository, since any of them could be tricked into performing actions they did not intend. While no direct data exfiltration is described, a compromised repository could serve as a foothold for further attacks and data breaches.
CVE-2025-64482 was publicly disclosed on 2025-11-12. There is no indication of this vulnerability being actively exploited at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not currently available, but the CSRF nature of the vulnerability means that exploitation is likely possible with moderate effort.
Exploit Status
EPSS: 0.03% (8th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-64482 is to upgrade Tuleap Enterprise Edition to version 17.0.1 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting access to the file release system to trusted users only. Implement strict input validation and output encoding on all user-supplied data to reduce the attack surface. Consider using a Web Application Firewall (WAF) with CSRF protection rules to block malicious requests. After upgrading, confirm the fix by attempting a CSRF attack on the file release system and verifying that the request is blocked.
Update Tuleap Community Edition to version 16.13.99.1762267347 or later. For Tuleap Enterprise Edition, update to version 17.0-1, 16.13-6, or 16.12-9 or later, as appropriate for your version.
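The standard application-level defence against the class of flaw described above is a synchronizer token: a state-changing request is only honoured when it carries a secret value bound to the user's session, which a cross-site page cannot read. The following PHP snippet is an added illustration written for this page; it is not Tuleap's own code and does not show how Tuleap fixed CVE-2025-64482. The handler name `handle_update_commit_rules`, the form field names, and the session key `csrf_token` are assumptions chosen for the example.

```php
<?php
// Added illustration (not Tuleap code): synchronizer-token CSRF protection
// for a hypothetical "update SVN commit rules" settings form.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';   // assumed session key name

// Issue one random token per session and reuse it for every form in that session.
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32)); // 256 bits of entropy
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Validate the submitted token before any repository setting is touched.
function csrf_check(?string $submitted): bool
{
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? '';
    if ($expected === '' || $submitted === null || $submitted === '') {
        return false; // no token issued yet, or none supplied: reject
    }
    // hash_equals() compares in constant time, so the token cannot be
    // recovered byte by byte through timing differences.
    return hash_equals($expected, $submitted);
}

// Hypothetical handler for a POST that changes commit rules.
function handle_update_commit_rules(array $post): void
{
    if (!csrf_check($post['csrf_token'] ?? null)) {
        http_response_code(403);
        error_log('Rejected commit-rule change: missing or invalid CSRF token');
        exit('Invalid or missing CSRF token');
    }
    $rules = (string) ($post['commit_rules'] ?? '');
    // ... persist $rules for the repository here (application-specific) ...
    echo 'Commit rules updated';
}

// Defence in depth: a SameSite=Lax session cookie is not sent on cross-site
// POSTs by modern browsers, so a forged request arrives without a session.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    handle_update_commit_rules($_POST);
} else {
    // Render the form with the token embedded as a hidden field.
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<textarea name="commit_rules"></textarea>'
       . '<button type="submit">Save commit rules</button>'
       . '</form>';
}
```

The token check must run on every endpoint that changes state (commit rules, immutable tags, and the like), not only on the form that renders the page; the SameSite cookie attribute is a useful second layer but does not replace the per-request token, since it depends on browser support and does not cover every request pattern.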
CVE-2025-64482 is a Cross-Site Request Forgery vulnerability in Tuleap Enterprise Edition that allows attackers to manipulate SVN repository settings by tricking authenticated users. It impacts versions ≤17.0-1.
If you are running Tuleap Enterprise Edition versions prior to 17.0.1, you are potentially affected by this CSRF vulnerability. Check your version and upgrade immediately.
Upgrade Tuleap Enterprise Edition to version 17.0.1 or later to resolve the CSRF vulnerability. Consider temporary workarounds like restricting access to the file release system if immediate upgrade is not possible.
There is currently no evidence of CVE-2025-64482 being actively exploited, but the CSRF nature of the vulnerability makes exploitation possible.
Refer to the official Tuleap security advisory for CVE-2025-64482 on the Tuleap website or security mailing list for the latest information and updates.